When the GDPR (General Data Protection Regulation) took effect in 2018, there were suggestions that it would revolutionise the information security landscape.
People were warned that if they didn’t meet its strict requirements, they could face multimillion-euro fines that could put them out of business.
In the three years since the Regulation took effect, there have only been a handful of fines on that scale, and it’s led to some criticising the GDPR for not living up to its billing.
However, that doesn’t give a true assessment of the Regulation’s effect. It was never solely about penalising huge corporations and issuing massive fines. It was looking equally at smaller organisations’ ability to better protect people’s personal data.
Most public discussion of the GDPR has focused on headline-grabbing stories such as the €746 million fine levied against Amazon, but beyond that there have been countless penalties issued on a more modest scale.
According to IT Governance’s figures, there were at least 429 GDPR fines issued in 2021, and the median penalty was €2,000.
This shows that enforcement action is occurring regularly, and that organisations must continue to monitor their GDPR compliance status.
What’s the current status on the GDPR?
The 429 GDPR fines issued last year totalled €1,098,942,386.84. This compares to 306 fines in 2020 totalling €182,546,779 – roughly a sixfold increase in the total amount fined.
It’s worth emphasising that the rise in regulatory penalties is almost certainly linked to the data protection issues that organisations have faced as a result of COVID-19.
Many organisations that shifted to fully remote or hybrid working solutions in 2020 struggled to mitigate the new data security challenges they faced – especially if they had little or no existing infrastructure to support homeworkers.
The ongoing pressures of a hostile operational environment meant organisations struggled to adjust in 2021, as a second wave of COVID-19 infections swelled and many European countries locked down yet again.
This was compounded by a significant increase in cyber attacks by criminals seeking to exploit the pandemic. We saw countless examples of cyber criminals taking advantage of the situation, with many attacks targeting people’s uncertainty and their inability to rely on robust in-house security defences while working from home.
What will happen in 2022?
We expect the first few months of this year to look a lot like 2021, because regulatory enforcement takes time.
It generally takes the supervisory authorities a minimum of six months to thoroughly investigate a GDPR breach, from the time of the initial report to the announcement of fines. In the case of large-scale incidents, it can take much longer.
As such, the fines issued in the first six months of 2022 will largely relate to incidents that occurred during the pandemic.
However, with the success of the COVID-19 vaccine rollout and the diminishing effects of variants, we should expect business to return – at least somewhat – to how it was pre-pandemic.
Many organisations will continue to offer remote work options, but their operations will be much less clouded by uncertainty. Permanent solutions can be implemented, and these will tend to be more clearly thought out and robust.
Meanwhile, we’ll move further away from the leniency that some regulatory bodies demonstrated at the start of the pandemic. There will be fewer excuses for data breaches or improper data protection practices, and penalties will be more severe.
How these twin forces will affect the regulatory landscape remains to be seen. Will GDPR penalties decrease as a consequence of stronger defences, or will they increase through tougher regulation?
The answer depends on organisations’ ability to address information security concerns in line with regulatory requirements. Those that continue to adapt to their environment will reap the benefits, whereas organisations that fail to invest in security will come under fire.
Maintaining GDPR compliance
For organisations seeking advice on meeting their GDPR compliance requirements, IT Governance is here to help.
Our GDPR Staff Awareness E-learning Course is a great place to start, as it helps you deliver data protection training to your staff in a quick and affordable way.
The course aims to provide non-technical staff with a complete foundation on the principles, roles, responsibilities and processes under the GDPR, reducing your organisation’s risk of non-compliance.
Meanwhile, you should be considering the other mechanisms you can use to protect your staff and the personal data they handle. Effective processes and policies are an essential complement to staff training, while technological solutions can filter out threats before they reach employees’ inboxes.
Additionally, it’s advisable to have a strategy in case an employee does fall victim. The faster you are able to identify and contain the threat, the smaller the disruption will be.
This is where incident response and business continuity planning help. They ensure that you know how to respond in the event of a data breach – whether it’s a phishing attack, ransomware or a technical malfunction – and that everybody understands their responsibilities.
If you’re looking for help implementing any of these, or simply want to know more about the steps you can take to protect your organisation, IT Governance is here to help.
Our website provides tips on the lessons you can learn from 2021 and tools that can bolster your defences, including staff awareness training, documentation toolkits and consultancy packages.